Security policies are the "talk is cheap" enablers of compliance and risk management. The problem is that they're often poorly written, disjointed, inaccurate and so on, which means they frequently create the very risks they're supposed to mitigate.
Everyone treats policies differently, so your needs and mileage will no doubt vary. For what it’s worth, I wrote an article for SearchEnterpriseDesktop.com regarding Windows desktop security policies. If you need to create your own policies or revamp your existing ones, I included a security policy template which can be tweaked to suit your business needs.
Keep in mind that you don’t want to create policies just for the sake of having policies. This practice can end up creating more problems than it solves. You need to understand where your business is at risk and then shape your policies around those risks. Once you understand where the focus is needed, you can go about building out your policy documents into something that truly enables information security in your business.
For further reading including common oversights and mistakes, check out my security policy articles, podcasts and webcasts.
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.